Move spring-data-mongodb to compileOnly dependency #623

Closed
wants to merge 1 commit into from

timtebeek
Contributor

What's your motivation?

Up to now we have had a runtime spring-data-mongodb dependency, as seen in:
https://repo1.maven.org/maven2/org/openrewrite/recipe/rewrite-spring/5.22.0/rewrite-spring-5.22.0.pom

<dependency>
  <groupId>org.springframework.data</groupId>
  <artifactId>spring-data-mongodb</artifactId>
  <version>2.2.12.RELEASE</version>
  <scope>runtime</scope>
  <exclusions>
    <exclusion>
      <groupId>org.springframework</groupId>
      <artifactId>*</artifactId>
    </exclusion>
  </exclusions>
</dependency>

But we've seen this fail when organizations block access to vulnerable dependencies, as I had a case today where the excluded spring-core:5.2.12.RELEASE led to a 404 and failure to install the rewrite-spring recipe jar, via this chain of downloads:
https://repo1.maven.org/maven2/org/springframework/data/spring-data-mongodb/2.2.12.RELEASE/spring-data-mongodb-2.2.12.RELEASE.pom
https://repo1.maven.org/maven2/org/springframework/data/spring-data-mongodb-parent/2.2.12.RELEASE/spring-data-mongodb-parent-2.2.12.RELEASE.pom
https://repo1.maven.org/maven2/org/springframework/data/build/spring-data-parent/2.2.12.RELEASE/spring-data-parent-2.2.12.RELEASE.pom

With the change we drop that runtime classpath dependency, but possibly break the recipe.

Anything in particular you'd like reviewers to focus on?

The generated recipe still uses JavaParser.runtimeClasspath(); I'm wondering if this change will break that, and/or whether we should switch to using classpathFromResources there, and possibly then drop the Refaster recipe.

final JavaTemplate before = JavaTemplate
        .builder("new org.springframework.data.mongodb.core.SimpleMongoDbFactory(new com.mongodb.MongoClientURI(#{uri:any(java.lang.String)}))")
        .javaParser(JavaParser.fromJavaVersion().classpath(JavaParser.runtimeClasspath()))
        .build();
final JavaTemplate after = JavaTemplate
        .builder("new org.springframework.data.mongodb.core.SimpleMongoClientDbFactory(#{uri:any(java.lang.String)})")
        .javaParser(JavaParser.fromJavaVersion().classpath(JavaParser.runtimeClasspath()))
        .build();

Anyone you would like to review specifically?

@knutwannheden

Have you considered any alternatives or workarounds?

  • We could ensure that excluded dependencies are not downloaded, if we don't already do so in openrewrite/rewrite.
  • We could add a visitor that uses LST types and a regular MethodMatcher, as opposed to a JavaTemplate.Matcher.

@timtebeek timtebeek self-assigned this Nov 12, 2024
@timtebeek timtebeek closed this Nov 14, 2024
@timtebeek timtebeek deleted the spring-data-mongodb-compileOnly branch November 26, 2024 19:32